===================================
MediaGoblin 0.8.1: Security release
===================================

:date: 2015-12-20 10:30
:author: Jessica Tallon
:tags: release, security, oauth

Basic Summary
=============

We have had a security problem in our OAuth implementation reported to
us privately and have taken steps to address it. The security problem
affects all versions of GNU MediaGoblin since 0.5.0. I have created a patch
for this and
`released a minor version 0.8.1 <http://mediagoblin.readthedocs.org/en/v0.8.1/>`_
(see the `release notes page <http://mediagoblin.readthedocs.org/en/v0.8.1/siteadmin/relnotes.html>`_).
It's strongly advised that everyone upgrade as soon as they can.

In order to exploit the security issue, an attacker must have had
access to a logged-in session for your GNU MediaGoblin account. If you
have kept your username and password secret, have logged in only over
HTTPS and have not left yourself logged in on publicly accessible
computers, you should be safe. However, it is still advised that all
users take the precautions listed below.

Users should check their authorized clients and deauthorize any client
that looks unfamiliar. To check this:

1) Log in to the GNU MediaGoblin instance
2) Click the drop down arrow in the upper right
3) Click "Change account settings"
4) At the bottom click the "Deauthorize applications" link

If you are unsure of any of these, click "Deauthorize".

I would like to thank Dylan Jeffers (author of Goblinoid) for finding
and reporting this to us in a responsible manner so that we were able
to patch this.


Technical Information
=====================

The security issue was in the verification of the OAuth verifier
code: the check that the verifier code submitted by the client matched
the one issued for that request was not being performed.

This only affected those who clicked the verifier link whilst logged
in and entered a different code. The user is assigned to the access
token only when the authorization page is visited whilst logged in. If
the link is not clicked with the user logged in, no user is assigned
to the access token, and a client that attempts to use it will be
denied because the endpoints cannot look up the requesting user.
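
As an added illustration (not MediaGoblin's code and not the linked patch), here is a minimal access-token exchange in Python that performs the two checks the passage describes: the request token must carry a user bound on the authorization page, and the verifier presented by the client must equal the one issued for that token. The in-memory store, class and function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory store standing in for the database; the real
# MediaGoblin models and the patched code differ from this sketch.
@dataclass
class RequestToken:
    token: str
    client_id: str
    verifier: str                    # issued alongside the request token
    user_id: Optional[int] = None    # bound only on the authorize page
    used: bool = False

@dataclass
class TokenStore:
    request_tokens: dict = field(default_factory=dict)

    def issue_request_token(self, client_id: str) -> RequestToken:
        rt = RequestToken(token=secrets.token_urlsafe(16),
                          client_id=client_id,
                          verifier=secrets.token_urlsafe(16))
        self.request_tokens[rt.token] = rt
        return rt

    def authorize(self, token: str, user_id: int) -> None:
        # Mirrors the page: the user is attached to the token only when
        # the authorization page is visited while logged in.
        self.request_tokens[token].user_id = user_id

def exchange_for_access_token(store: TokenStore, token: str,
                              verifier: str) -> tuple:
    """Access-token endpoint. Returns (ok, detail)."""
    rt = store.request_tokens.get(token)
    if rt is None or rt.used:
        return (False, "unknown or already used request token")
    if rt.user_id is None:
        # No user was ever bound: the client cannot act as anyone.
        return (False, "request token was never authorized")
    # The check that was missing: the verifier presented by the client
    # must equal the one issued for this request token. compare_digest
    # avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(rt.verifier, verifier):
        return (False, "verifier does not match")
    rt.used = True
    return (True, {"user_id": rt.user_id, "client_id": rt.client_id})
```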

A `patch has been made <http://git.savannah.gnu.org/cgit/mediagoblin.git/commit/?id=86ee2d1a0e9057e26add65807191fc28b0eec568>`_
should you wish to view the fix.
